[Zope-CMF] Re: How to make your CMF portal "Members Only"

Ben Gustafson cbg3@earthlink.net
Tue, 20 Aug 2002 09:23:32 -0400


Hello Ausum,

> Date: Mon, 19 Aug 2002 03:21:18 -0500
>
> Ben, your workaround could be ignoring a potential security issue. Every
> other method not using standard_html_header (in the case of DTML skins)
> will be exposed as long as it contains 'published' CMF content. Regular
> users may not know which these methods are, but they will still be there.

I'm not sure I follow where the potential security issue comes into play. If
an unauthenticated visitor attempts to access any method other than the
login_form, including those using ZPT instead of DTML (see steps 3 and 4),
they are redirected to the login_form method. How is that a security issue?

I agree that there are probably better ways of making a "Members Only" CMF
site, including your suggestion of restricting the View permission on
Published content to Members only, and probably Chris's suggestion to delete
the cookie_authentication object (haven't tested that yet). My method was
born out of the frustration of finding scant documentation on how to
restrict access to a CMF site, and having those suggestions and the Private
Plone site creation feature of Plone 1.0 alpha 3 all create the infinite
redirect loop that you noted.

--Ben